Concrete signature match: VirTool (a tool used to create or modify malware), platform Win32 (32-bit Windows), family Obfuscator
VirTool:Win32/Obfuscator.QV is a concrete detection for an obfuscation tool designed to evade security and facilitate malicious activity. It abuses legitimate Windows utilities like mshta, regsvr32, rundll32, and PowerShell, while employing hooking, persistence via scheduled tasks, and remote file copying to hide and enable broader compromise.
Relevant strings associated with this threat:
- hfre32.qyy (PEHSTR_EXT)
- jf2_32.qyy (PEHSTR_EXT)
- jvavarg.qyy (PEHSTR_EXT)
- nqincv32.qyy (PEHSTR_EXT)
- furyy32.qyy (PEHSTR_EXT)
- agqyy.qyy (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule VirTool_Win32_Obfuscator_QV_2147716824_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "VirTool:Win32/Obfuscator.QV"
        threat_id = "2147716824"
        type = "VirTool"
        platform = "Win32: Windows 32-bit platform"
        family = "Obfuscator"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "23"
        strings_accuracy = "High"
    strings:
        $x_10_1 = {eb 09 0f be c9 c1 c0 07 33 c1 42 8a 0a 84 c9 75 f1} //weight: 10, accuracy: High
        $x_10_2 = {8a 01 3c 61 7c 15 3c 7a 7f 11 0f be c0 83 e8 54 6a 1a 99 5f f7 ff 80 c2 61 eb 17 3c 41 7c 15 3c 5a 7f 11 0f be c0 83 e8 34 6a 1a 99 5f f7 ff 80 c2 41 88 11 41 80 39 00 75 c6} //weight: 10, accuracy: High
        $x_1_3 = "hfre32.qyy" ascii //weight: 1
        $x_1_4 = "jf2_32.qyy" ascii //weight: 1
        $x_1_5 = "jvavarg.qyy" ascii //weight: 1
        $x_1_6 = "nqincv32.qyy" ascii //weight: 1
        $x_1_7 = "furyy32.qyy" ascii //weight: 1
        $x_1_8 = "agqyy.qyy" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((2 of ($x_10_*) and 3 of ($x_1_*))) or
            (all of ($x*))
        )
}

Immediately isolate the infected system. Conduct a full antivirus scan, remove all detected artifacts, and analyze system logs for persistence mechanisms or further compromise. Consider re-imaging the system to ensure complete eradication.
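As an added worked example (my code, not part of the threatcheck.sh page or of the signature itself), the six weight-1 strings decode with ROT13 to ordinary Windows DLL names, and the rule's weighted condition can be replayed on a constructed byte blob to see how the 23-point threshold is reached. Reading $x_10_2 as an in-place ROT13 loop and $x_10_1 as a rol-7/xor string-hash loop is my own disassembly of those byte patterns, not a statement the page makes.

```python
import codecs

# Added example, not from the threatcheck.sh page. The six weight-1 strings of
# the rule are plain ROT13 of Windows DLL names; reading $x_10_2 as an in-place
# ROT13 loop is my interpretation of its bytes, the rule itself does not say so.
OBFUSCATED_DLL_NAMES = ["hfre32.qyy", "jf2_32.qyy", "jvavarg.qyy",
                        "nqincv32.qyy", "furyy32.qyy", "agqyy.qyy"]

# The two weight-10 byte patterns, copied from the rule above.
CODE_PATTERNS = {
    "x_10_1": bytes.fromhex("eb090fbec9c1c00733c1428a0a84c975f1"),
    "x_10_2": bytes.fromhex("8a013c617c153c7a7f110fbec083e8546a1a995ff7ff80c261eb17"
                            "3c417c153c5a7f110fbec083e8346a1a995ff7ff80c24188114180390075c6"),
}


def decode_dll_names() -> dict:
    """Map each obfuscated string to the DLL name it hides (ROT13 leaves
    digits, '_' and '.' untouched, which is why '32' and '.q..' survive)."""
    return {s: codecs.decode(s, "rot_13") for s in OBFUSCATED_DLL_NAMES}


def score(sample: bytes) -> tuple:
    """Count the way the rule weights: 10 per byte pattern, 1 per DLL string.
    Returns (total, names of the matched strings in rule order)."""
    hits = [(n, 10) for n, p in CODE_PATTERNS.items() if p in sample]
    hits += [(s, 1) for s in OBFUSCATED_DLL_NAMES if s.encode() in sample]
    return sum(w for _, w in hits), [n for n, _ in hits]


def matches_rule(sample: bytes) -> bool:
    """The rule's condition: filesize < 20MB (YARA's MB is 1024*1024) and
    both 10-weight patterns plus at least three of the six strings, i.e. the
    threshold of 23. The 'all of ($x*)' branch is a subset of that, so it
    never decides on its own."""
    if len(sample) >= 20 * 1024 * 1024:
        return False
    code_hits = sum(p in sample for p in CODE_PATTERNS.values())
    str_hits = sum(s.encode() in sample for s in OBFUSCATED_DLL_NAMES)
    return code_hits == 2 and str_hits >= 3


# Constructed samples, not real files: padding around the rule's own bytes.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62 + CODE_PATTERNS["x_10_1"] + b"\x90" * 16
              + CODE_PATTERNS["x_10_2"]
              + b"\x00hfre32.qyy\x00furyy32.qyy\x00agqyy.qyy\x00")
# Decoder loop and a single name: 10 + 1 = 11, well under the threshold.
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + CODE_PATTERNS["x_10_2"] + b"\x00hfre32.qyy\x00"
```

Running `score(SAMPLE_HIT)` gives 23 with both patterns and three names matched, while `SAMPLE_MISS` scores 11 and does not trigger the rule.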